Description
pygeoapi is a Python server implementation of the OGC API suite of standards. From version 0.23.0 to before version 0.23.3, a raw string path concatenation vulnerability in pygeoapi's STAC FileSystemProvider plugin can allow for requests to STAC collection based collections to expose directories without authentication. The issue manifests when pygeoapi is deployed without a proxy or web front end that would normalize URLs with .. values, along with a resource of type stac-collection defined in configuration. This issue has been patched in version 0.23.3.
Published: 2026-05-08
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A raw string path concatenation flaw in pygeoapi's STAC FileSystemProvider allows attackers to construct URLs containing directory traversal sequences, which the server passes through unfiltered to the underlying file system. This can expose configuration files, data sets, or other sensitive information in directories that should be inaccessible, thereby compromising confidentiality with no authentication required. The vulnerability corresponds to CWE-22, Path Traversal.

Affected Systems

The issue affects geopython's pygeoapi product, specifically versions from 0.23.0 up to but not including 0.23.3. Users running any of those releases with the STAC FileSystemProvider enabled and a stac-collection resource defined in the configuration are impacted.

Risk and Exploitability

The CVSS score of 7.5 indicates a high severity, and while an EPSS score is not available, the exploitability is likely moderate due to the need for a configured STAC endpoint and deployment without a defensive proxy or URL normalizer. The vulnerability is not listed in CISA's KEV catalog, suggesting no documented public exploits yet, but the lack of authentication and the simplicity of the attack path make it attractive to adversaries. The attack vector is network-based, requiring the ability to send crafted HTTP requests to the vulnerable pygeoapi instance.

Generated by OpenCVE AI on May 8, 2026 at 23:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to pygeoapi v0.23.3 or later, which removes the raw string concatenation flaw.
  • If an upgrade is not immediately possible, disable or remove the STAC FileSystemProvider plugin or any stac-collection configurations to eliminate the vulnerable code path.
  • Configure a reverse proxy or front-end that normalizes URLs and strips ".." path segments before they reach pygeoapi, or enforce authentication on STAC endpoints to prevent unauthenticated directory reads.

Generated by OpenCVE AI on May 8, 2026 at 23:21 UTC.
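The normalization and containment check the recommended actions call for, as an added Python example that is not pygeoapi's own code; resolve_within, is_contained, demo and the temporary directory layout are assumptions for illustration:

```python
"""Added example (not pygeoapi's own code): confine a requested STAC item
path to the provider's data directory before touching the filesystem.
Instead of raw concatenation (base + "/" + requested), the candidate is
resolved and checked to still lie inside base. Names are assumptions."""
import os
import tempfile
from pathlib import Path


class PathTraversalError(ValueError):
    """Raised when a requested path would escape the data directory."""


def resolve_within(base_dir: str, requested: str) -> Path:
    """Return the absolute path for `requested` under `base_dir`, or raise.
    Path.resolve() collapses `..` segments and follows symlinks, so the
    containment check runs on the real filesystem location. An absolute
    `requested` replaces `base` in the join and then fails the check.
    """
    base = Path(base_dir).resolve()
    candidate = (base / requested).resolve()
    # commonpath() compares path components, not raw string prefixes,
    # so "/data2/x" is correctly treated as outside "/data".
    if os.path.commonpath([base, candidate]) != str(base):
        raise PathTraversalError(f"request escapes data dir: {requested!r}")
    return candidate


def is_contained(base_dir: str, requested: str) -> bool:
    """Boolean form of the check, usable as a request filter."""
    try:
        resolve_within(base_dir, requested)
        return True
    except PathTraversalError:
        return False


def demo() -> dict:
    """Constructed layout: <tmp>/data/collection/item.json, <tmp>/secret.txt."""
    root = Path(tempfile.mkdtemp())
    data = root / "data"
    (data / "collection").mkdir(parents=True)
    (data / "collection" / "item.json").write_text("{}")
    (root / "secret.txt").write_text("outside the data directory")
    return {
        "inside": is_contained(str(data), "collection/item.json"),
        "dotdot": is_contained(str(data), "collection/../../secret.txt"),
        "absolute": is_contained(str(data), str(root / "secret.txt")),
        "sibling_prefix": is_contained(str(data), "../data2/x"),
    }
```

Only "inside" is accepted; the other three requests are rejected before any filesystem read happens.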

Advisories
Source: GitHub GHSA
ID: GHSA-f6pr-83pg-ghh6
Title: pygeoapi 0.23.x: Path Traversal in STAC FileSystemProvider
History

Fri, 08 May 2026 22:45:00 +0000

Description (value added): pygeoapi is a Python server implementation of the OGC API suite of standards. From version 0.23.0 to before version 0.23.3, a raw string path concatenation vulnerability in pygeoapi's STAC FileSystemProvider plugin can allow for requests to STAC collection based collections to expose directories without authentication. The issue manifests when pygeoapi is deployed without a proxy or web front end that would normalize URLs with .. values, along with a resource of type stac-collection defined in configuration. This issue has been patched in version 0.23.3.
Title (value added): pygeoapi: Path Traversal in STAC FileSystemProvider
Weaknesses (value added): CWE-22
References (value added):
Metrics (value added): cvssV3_1 {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}



MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-08T22:31:18.001Z

Reserved: 2026-04-26T13:26:14.515Z

Link: CVE-2026-42351

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-05-08T23:16:38.170

Modified: 2026-05-08T23:16:38.170

Link: CVE-2026-42351

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-08T23:30:15Z

Weaknesses